Emerging Threats: End-to-End Encryption (E2EE)

By Melissa McDonough

Law enforcement officers today are faced with many new applications that that allow users to communicate or store information privately. As consumers become more concerned with privacy and security, the use of these applications continues to rise. And they aren’t just for criminals or spooks – secure messaging apps have gained widespread popularity among the general populace.

The novelty of these apps is that rather than encrypting only part of a conversation, the entire conversation is encrypted, enabling what is commonly called end-to-end encryption (E2EE). This technique prevents Internet Service Providers (ISPs), law enforcement, and even the application developers from viewing the contents of a conversation. While metadata may be available that reveals that two parties communicated, contents of E2EE communications are unavailable since they are encrypted at the source. Unsurprisingly, government leaders argue that E2EE provides criminals and terrorists with the technology needed to covertly conduct illegal activities.

Law enforcement officers have reason to worry about this. Just last year, WhatsApp and Telegram were used to facilitate secure communications between terrorists in the recent attacks in Paris. The Islamic State of Iraq and Syria (ISIS) has even published an official guide to operational security, in which the organization provided advice to recruits on how to evade detection from law enforcement and intelligence services.

However, the vast majority of users of E2EE technology are regular citizens who simply want increased privacy and security for their phones and mobile applications. As of early 2016, 1 in 7 people worldwide use WhatsApp. Each year, the number of secure messaging applications continues to grow, with the popularity of mobile messaging apps increasing worldwide. Secure apps appeal to a wide range of users, with some users appreciating the novelty of encryption and “self-destructing” messages, and others seeking to avoid “Big Brother” amid ongoing allegations of government domestic surveillance.

While the strength of encryption provided with E2EE is impressive, the technology is far from completely secure. Hackers have used some strategies, including Man-in-the-Middle (MITM) attacks, to gain access to encrypted data. In MITM attacks, a hacker gains access to the encryption code, either through impersonating a message recipient or by manipulating website certificate authorities, to trick users into using encryption keys that are known to the hacker. This allows the hacker to gain access to all encrypted data without alerting users.

Hackers could also simply attack an individual’s smart phone or computer to obtain the encrypted data, bypassing the need to conduct a MITM attack. Although encryption is a useful security tool, the information is only as safe as the computer or device it is stored on.

The US Government has long identified E2EE a threat to national security, which has led some lawmakers to seek to change legislation on this issue. Senators Diane Feinstein and Richard Burr currently have a draft bill known as the “Compliance with Court Orders Act of 2016” that would make it illegal for companies to store encrypted data on their servers without the ability to provide an encryption key. In short, this would make E2EE technology illegal, and prevent tech companies from encrypting both communications and devices.

The bill would also impact the amount of assistance firms are required to provide law enforcement authorities. Tech firms are currently required to provide “reasonable assistance” to law enforcement during the course of an investigation. This bill would change the language to “assistance as necessary,” which would force tech firms to go to greater lengths to provide data to law enforcement authorities.

E2EE, like many emerging technologies, presents new challenges to law enforcement and security professionals. While the future legality of E2EE remains unknown, the debate over privacy versus security will likely remain for years to come. Until legislative guidance on encryption technology is reached, there remain many grey areas in dealing with privacy and big data.

IACP Conference